DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of Inspector General
Washington, D.C. 20201

February 17, 2011

TO:       Donald M. Berwick, M.D.
          Administrator
          Centers for Medicare & Medicaid Services

FROM:     /Daniel R. Levinson/
          Inspector General

SUBJECT:  Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2008 (A-18-09-30200)

The attached final report provides the results of our Medicare contractor information security program evaluations for fiscal year 2008.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added information security requirements for Medicare administrative contractors, fiscal intermediaries, and carriers to section 1874A of the Social Security Act (the Act) (42 U.S.C. § 1395kk-1). Pursuant to section 1874A of the Act, each Medicare contractor must have its information security program evaluated annually by an independent entity. Section 1874A of the Act further requires the Inspector General, Department of Health & Human Services, to submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency.

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that the Office of Inspector General (OIG) post its publicly available reports on the OIG Web site. Accordingly, this report will be posted at http://oig.hhs.gov.

If you have any questions or comments about this report, please do not hesitate to call me, or your staff may contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal Activities, and Information Technology Audits, at (202) 619-1175 or through email at Lori.Pilcher@oig.hhs.gov. Please send us your final management decision, including any action plan, as appropriate, within 60 days. Please refer to report number A-18-09-30200 in all correspondence.

Attachment


Department of Health & Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2008

Daniel R. Levinson
Inspector General

February 2011
A-18-09-30200


Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health & Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.


Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.


EXECUTIVE SUMMARY

BACKGROUND

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added information security requirements for Medicare administrative contractors (MAC), fiscal intermediaries, and carriers to the Social Security Act (the Act). These contractors process and pay Medicare fee-for-service claims. Each Medicare contractor must have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures.

The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS developed an information security assessment methodology to test segments of the claims processing systems at Medicare data centers, which operate the computer systems that process and pay Medicare fee-for-service claims. CMS contracted with JANUS Associates, Inc. (JANUS), to perform technical assessments at Medicare data centers using the assessment methodology.

The Inspector General, Department of Health & Human Services, must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2008.

OBJECTIVES

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments.

SUMMARY OF RESULTS

PwC’s evaluations of the contractor information security programs were adequate in scope and sufficiency. We could not determine the scope and sufficiency of the JANUS work for many of the data center technical assessments because of several issues with its working papers. PwC reported a total of 161 gaps at 26 Medicare contractors. JANUS reported a total of 48 gaps at 8 data centers.

Assessment of Scope and Sufficiency

PwC’s evaluations of the contractor information security programs adequately encompassed in scope and sufficiency the eight FISMA requirements referenced in the Act.

We could not determine the scope and sufficiency of the JANUS work for many of the data center technical assessments because of several issues with its working papers, such as insufficient evidence that all of the testing procedures had been completed, illegible handwriting, lack of cross-references, and incomplete or undocumented elements. For two data centers, JANUS omitted from its reports gaps identified during testing.

Results of Evaluations and Assessments

The results of the contractor information security program evaluations and data center technical assessments are presented in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors’ implementation of those requirements.

Results of Contractor Information Security Program Evaluations

In the 26 PwC evaluation reports for FY 2008, which covered all MACs, fiscal intermediaries, and carriers, PwC identified a total of 161 gaps. The number of gaps per contractor ranged from 0 to 27 and averaged 6. The most gaps occurred in the following FISMA control areas: testing of information security controls (50 gaps at 20 contractors), security program and system security plans (31 gaps at 16 contractors), continuity of operations (25 gaps at 11 contractors), and policies and procedures to reduce risk (23 gaps at 14 contractors).

The number of gaps reported in the PwC FY 2008 evaluation reports increased by 44 percent when compared to the results for FY 2007. While the number of contractors with no gaps increased by 3 (300 percent), the number of contractors with 10 or more gaps increased by 2 (67 percent).

Results of Data Center Technical Assessments

The eight Medicare data center technical assessment reports prepared by JANUS identified a total of 48 gaps. The number of gaps reported per data center ranged from 1 to 16 and averaged 6. Most of the security gaps occurred in the following security control categories: audit and accountability (15 gaps at 3 data centers), contingency planning (9 gaps at 5 data centers), and access control (7 gaps at 1 data center).

The total number of gaps identified in FY 2008 (48) was 151 gaps fewer than the number identified in FY 2007 (199). However, this was due to the decrease in the number of data centers reviewed (13 in FY 2007, 8 in FY 2008) and the number of categories and specific security control categories tested in FY 2008. CMS uses a rotational approach in performing its technical assessments of data centers. Some categories are not tested every year. Access control, the category with the most gaps in FY 2007 (111 gaps), was tested at only 1 data center in FY 2008, but it was tested at 13 data centers in FY 2007. We did not perform a detailed comparison of the number of gaps identified within the categories tested for the 2 FYs because the same categories were not tested by JANUS at all operational data centers in FY 2008.

Of the 48 gaps JANUS identified at the 8 data centers, 10 gaps were resolved and closed during or after JANUS’s onsite visits to the data centers. Hence, there were a total of 38 gaps at data centers requiring corrective action in FY 2008.

RECOMMENDATION

We recommend that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it would take the appropriate actions to address the identified issues.
We have included CMS’s comments in their entirety in Appendix G.


TABLE OF CONTENTS

INTRODUCTION
    BACKGROUND
        The Medicare Program
        Medicare Prescription Drug, Improvement, and Modernization Act of 2003
        Centers for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2008
    OBJECTIVES, SCOPE, AND METHODOLOGY
        Objectives
        Scope
        Methodology

RESULTS OF REVIEW
    ASSESSMENT OF SCOPE AND SUFFICIENCY
    RESULTS OF CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS
        Testing of Information Security Controls
        Security Programs and System Security Plans
        Continuity of Operations Planning
        Policies and Procedures To Reduce Risk
    RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS
        Audit and Accountability
        Contingency Planning
        Access Control
    CONCLUSION
    RECOMMENDATION
    CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

APPENDIXES
    A: ASSESSMENT OF SCOPE AND SUFFICIENCY FOR THE JANUS DATA CENTER ASSESSMENTS
    B: LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA AND MEDICARE CONTRACTOR
    C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR
    D: MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA
    E: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS
    F: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER
    G: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS


INTRODUCTION

BACKGROUND

The Medicare Program

The Centers for Medicare & Medicaid Services (CMS) administers the Medicare program. Medicare is a health insurance program for people age 65 or older, people under age 65 with certain disabilities, and people of all ages with end-stage renal disease. In fiscal year (FY) 2008, Medicare paid more than $395 billion on behalf of more than 45 million Medicare beneficiaries. CMS contracts with Medicare Administrative Contractors (MAC), fiscal intermediaries, and carriers to administer Medicare benefits paid on a fee-for-service basis.
Some MACs, fiscal intermediaries, and carriers operate in-house data centers to process Medicare claims, while others use external data centers for this purpose.

In FY 2008, 16 distinct entities served as fiscal intermediaries, carriers, and Part A/B MACs. Four of these entities also served as Durable Medical Equipment MACs. Five of the sixteen entities also operated Medicare data centers, and two external entities operated the remaining three data centers. Thus, 18 distinct entities processed and paid Medicare fee-for-service claims.

Medicare Prescription Drug, Improvement, and Modernization Act of 2003

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) added information security requirements for MACs, fiscal intermediaries, and carriers to section 1874A of the Social Security Act (the Act).[1] (See 42 U.S.C. § 1395kk-1.) Pursuant to section 1874A(e)(1) of the Act, each MAC, fiscal intermediary, and carrier must have its information security program evaluated annually by an independent entity. This section requires that these evaluations address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). (See 44 U.S.C. § 3544(b).) These requirements, referred to as “FISMA control areas” in this report, are:

    1. periodic risk assessments,
    2. policies and procedures to reduce risk,
    3. security program and system security plans,
    4. security awareness training,
    5. testing of information security controls,
    6. remedial actions,
    7. incident response, and
    8. continuity of operations planning.

[1] The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries and carriers with MACs, which are to be competitively selected. Until such time as all MACs are in place, the requirements of section 1874A apply to fiscal intermediaries and carriers.

Section 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security controls be tested for an appropriate subset of Medicare contractors’ information systems. However, this section does not specify the criteria for evaluating these security controls. CMS developed an information security assessment methodology to comply with this provision.

Additionally, section 1874A(e)(2)(C)(ii) of the Act requires the Inspector General of the Department of Health & Human Services to submit to Congress annual reports on the results of such evaluations, including assessments of their scope and sufficiency. This report fulfills that responsibility for FY 2008.

Centers for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2008

CMS developed agreed-upon procedures (AUP) for the program evaluation based on the requirements of section 1874A(e)(1) of the Act, FISMA, information security policy and guidance from the Office of Management and Budget and the National Institute of Standards and Technology (NIST), and the Government Accountability Office’s (GAO) Federal Information Systems Controls Audit Manual (FISCAM). The independent auditors, PricewaterhouseCoopers (PwC), under contract with CMS, used the AUPs to evaluate the information security programs at the 26 MACs, fiscal intermediaries, and carriers. The AUPs are the same as those used in FY 2007.
PwC performed the evaluations and issued separate reports for the 26 MACs, fiscal intermediaries, and carriers.

To comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of information security controls for an appropriate subset of contractors’ information systems, CMS contracted with JANUS Associates, Inc. (JANUS), to plan, develop, and implement a comprehensive program to perform testing of information security controls at eight Medicare data centers. JANUS performed the assessments and issued separate reports for each of the eight Medicare data centers.

It is important to note that entities and contractors are not the same. The 18 distinct entities provided to CMS 34 contracted services to fulfill their responsibilities as Medicare fiscal intermediaries, carriers, MACs, or data centers. Testing was performed for each of the contracted services. Table 1 summarizes the change in the number of Medicare contractors and data centers tested. In FY 2007, there were 31 Medicare contractors and 13 Medicare data centers tested. Changes during FY 2008 resulted in the testing of 26 Medicare contractors and 8 Medicare data centers.

Table 1: Change in the Number of Medicare Contractors and Data Centers Tested

                                                                        Medicare      Medicare
                                                                        Contractors   Data Centers
Ending Balance, FY 2007                                                     31            13
Less: Entities that were no longer in the Medicare program by the
      end of FY 2008                                                        10             6
Add: MACs                                                                    5
Add: Enterprise data centers [2]                                                           1
Ending Balance, FY 2008                                                     26             8

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments.

Scope

We evaluated the FY 2008 results of the independent evaluations and technical assessments of Medicare contractors’ information security programs. Our review did not include an evaluation of internal controls.
We performed our reviews of PwC and JANUS working papers at CMS headquarters in Baltimore, Maryland, and at Office of Inspector General regional offices.

Methodology

To accomplish our objectives, we performed the following steps:

• To assess the scope of the evaluations of contractor information security programs, we determined whether the AUPs included the eight FISMA control requirements.

• To assess the scope of the data center technical assessments, we reviewed the contract and statement of work between CMS and JANUS and verified that JANUS performed the work that CMS had specified.

• To assess the sufficiency of the evaluations of contractor information security programs, we reviewed PwC working papers supporting the evaluation reports to determine whether PwC completed the AUPs listed in the reports. We also determined whether PwC conducted the evaluations in accordance with attestation engagement standards established by the American Institute of Certified Public Accountants and in accordance with Government Auditing Standards. In addition, we determined whether the evaluation reports encompassed the eight FISMA control areas enumerated in section 1874A(e)(1) of the Act.

• To assess the sufficiency of the data center technical assessments, we reviewed supporting working papers to verify that JANUS completed all test procedures, reported all medium- and high-risk gaps, and adequately supported all reported results with sufficient and appropriate evidence.[3]

• To report on the results of the JANUS evaluations and technical assessments, we aggregated the results contained in the individual contractor evaluation reports and data center technical assessment reports. We used the business risks listed in the individual technical assessment reports to aggregate the results. For the PwC evaluations, we used the number of gaps listed in the individual contractor evaluation reports to aggregate the results. In some instances, several gaps were noted under FISMA control subcategories. We counted duplicate gaps listed in a FISMA control area only once.

[2] As part of CMS’s data center consolidation initiative, enterprise data centers are being used to process and pay Medicare fee-for-service claims. Eventually all CMS data center operations will transition from legacy data centers to at most three enterprise data centers.

[3] We present the results of the Medicare contractor information security program evaluations in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors’ implementation of those requirements.

We conducted this performance audit in accordance with generally accepted government auditing standards, except that we did not obtain comments from JANUS or PwC. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


RESULTS OF REVIEW

PwC’s evaluations of the contractor information security programs were adequate in scope and sufficiency. We could not determine the scope and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers. PwC reported a total of 161 gaps at 26 Medicare contractors. JANUS reported a total of 48 gaps at 8 data centers.

ASSESSMENT OF SCOPE AND SUFFICIENCY

PwC’s evaluations of the contractor information security programs adequately encompassed in scope and sufficiency the eight FISMA requirements referenced in section 1874A(e)(1) of the Act.

We could not determine the scope and sufficiency of the JANUS work for many of the data center technical assessments because of several issues with its working papers. CMS’s contract with JANUS provided for the planning, development, and implementation of a comprehensive program to perform testing of information security controls at Medicare data centers.

The test plan documentation supplied by JANUS for five of the eight data centers (63 percent) did not contain sufficient evidence that all of the testing procedures had been performed. Specifically, JANUS did not always indicate whether it actually completed each testing procedure.
Additionally, for four of the eight data centers (50 percent), we were unable to trace all gaps presented in JANUS’s reports to supporting evidence because of illegible handwriting and missing documented test scripts. Lastly, for four of the eight data centers (50 percent), we were not able to determine whether JANUS included all medium- and high-risk gaps in the respective reports because of incomplete or undocumented elements in the JANUS working papers. For two data centers, JANUS omitted from its reports gaps identified during testing. See Appendix A for our analysis of the JANUS data center assessments.

RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS

As shown in Table 2, the 26 evaluation reports identified a total of 161 gaps. The average number of gaps per contractor was six. The number of gaps per contractor ranged from 0 to 27 for FY 2008. See Appendix B for a list of gaps per control area by contractor.

Table 2: Range of Medicare Contractor Gaps

                     Number of Contractors With
FY    Total Gaps     0 Gaps   1 Gap   2–5 Gaps   6–9 Gaps   10+ Gaps
2007     112            1       8        18          1          3
2008     161            4       3         8          6          5

The number of gaps reported in the PwC FY 2008 evaluation reports increased by 44 percent when compared to the results for FY 2007. While the number of contractors with no gaps increased by 3 (300 percent), the number of contractors with 10 or more gaps increased by 2 (67 percent). See Appendix C for the FYs 2007–2008 percentage change in gaps per Medicare contractor.

Table 3 summarizes the gaps found in each FISMA control area in FYs 2007 and 2008. Six of the eight FISMA control areas had an increase in gaps for FY 2008.
(Appendix D summarizes the changes in a graph.)

Table 3: Gaps by Federal Information Security Management Act Control Area

                                              Impact Levels of     No. of Gaps         No. of Contractors With
                                              FISMA Control Area   Identified          One or More Gap(s)
FISMA Control Area                            Subcategories        FY 2007   FY 2008   FY 2007   FY 2008
Periodic risk assessments                     High/Medium              1         2         1         2
Policies and procedures to reduce risk        High                    19        23        15        14
Security program and system security plans    High/Medium             21        31        17        16
Security awareness training                   Medium                  17        14        10         9
Testing of information security controls      High                    39        50        19        20
Remedial actions                              High                     0        15         0         9
Incident response                             High                     3         1         3         1
Continuity of operations planning             High/Medium             12        25         4        11
Total                                                                112       161

The Medicare contractor information security program evaluations covered several subcategories within each FISMA control area.
The “impact level” shown in Table 3 refers to the possible
level of adverse impact that could result from successful exploitation of gaps in any of the
FISMA control area subcategories depending on the organization’s mission and criticality and
the sensitivity of the systems and data involved. CMS and independent auditors developed
ratings of high, medium, or low impact for the subcategories of the FISMA control areas. The
actual ratings assigned to the subcategories were all high or medium impact and were PwC’s
assessments. It is important to note that the impact levels were assigned to subcategories of the
FISMA control areas, not to individual gaps identified within the control areas or subcategories.
Individual gaps were assigned an overall risk level on a subjective basis by PwC after taking into
consideration the impact and likelihood of occurrence. However, as stated in NIST Special
Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment,
section 4.3, it is difficult to identify the risk level of individual vulnerabilities because they rarely
exist in isolation.

The following sections discuss the four FISMA control areas containing the most gaps. See
Appendix E for descriptions of each subcategory tested.

Testing of Information Security Controls

According to NIST SP 800-53, Recommended Security Controls for Federal Information
Systems and Organizations, Control CA-2, the effectiveness of information security policies,
procedures, practices, and controls should be tested and evaluated at least annually. NIST
SP 800-115, section 2.3, notes that security testing enables organizations to measure levels of
compliance in areas such as patch management, password policy, and configuration
management. According to GAO’s FISCAM, section 3.3, changes to an application should be
tested and approved before being put into production.

Six of the twenty-six Medicare contractors had no identified gaps in the testing of information
security controls, while the remaining 20 had 1 to 5 gaps each. In total, 50 gaps were identified
in this area, with all 50 gaps assigned to high-impact subcategories.

Following are examples of gaps in testing of information security controls:

   •   The individual performing the changes to supplemental claims processing software also
       moved the changes into production.

   •   Information technology (IT) weaknesses identified by the contractor during a review
       were not being tracked.

   •   The contractor did not perform an annual evaluation of platform configuration
       management procedures.

Without a comprehensive program for periodically testing and monitoring of information
security controls, management has no assurance that appropriate safeguards are in place to
adequately mitigate identified risks.

Security Program and System Security Plans

NIST SP 800-100, Information Security Handbook: A Guide for Managers, section 2.2.5, states
that an agency should ensure its information security policy is sufficiently current to
accommodate the information security environment and the agency mission and operational
requirements.
Federal Information Processing Standards (FIPS) 200, Minimum Security
Requirements for Federal Information and Information Systems, and NIST SP 800-53, Control
PS-3, require organizations to screen employees before granting access to information and
information systems.

The Executive Summary of NIST SP 800-18, Guide for Developing Security Plans for Federal
Information Systems, states that system security plans should provide an overview of a system’s
security requirements and describe the controls in place or planned for meeting those
requirements.

Ten of the twenty-six Medicare contractors had no identified gaps in security program and
system security plans, while the remaining 16 had 1 to 5 gaps each. In total, 31 gaps were
identified in this area. Twenty-two gaps were assigned to high-impact subcategories.

Following are examples of gaps in security programs and system security plans:

   •   The contractor did not complete background investigations for all selected employees
       before their hire date.

   •   A process for tracking and establishing corrective actions for weaknesses identified during
       vulnerability scanning was not in place.

   •   Not all security professionals received job-specific training.

If information security program requirements are not implemented and enforced, management
has no assurance that established system security controls will be effective in protecting valuable
assets, such as information, hardware, software, systems, and related technology assets that
support the organization’s critical missions.

Continuity of Operations Planning

According to NIST SP 800-34, Contingency Planning Guide for Federal Information Systems,
section 2.2, contingency planning represents a broad scope of activities designed to sustain and
recover critical information technology services following an emergency. Contingency planning
for information systems is part of an overall organizational program for achieving continuity of
operations for business operations.

Fifteen of the twenty-six Medicare contractors had no identified gaps in continuity of operations
planning, while the remaining 11 had 1 to 9 gaps each. In total, 25 gaps were identified in this
area, with 13 gaps assigned to a high-impact subcategory. Following are examples of gaps in
continuity of operations:

   •   Business continuity plans had not undergone a recovery exercise within the previous
       year.

   •   The contingency plan did not include the identification of all critical hardware and
       software resources.

   •   Not all data center employees received emergency response training in a timely manner.

Policies and Procedures To Reduce Risk

According to NIST SP 800-30, Risk Management Guide for Information Technology Systems,
section 1.2, risk management is the process of identifying and assessing risk and taking steps to
reduce risk to an acceptable level. Controls CM-6 and SI-2 in NIST SP 800-53 require
organizations to establish mandatory security configuration settings for IT products, monitor and
control changes to the configuration settings, and promptly install newly released
security-relevant patches and service packs.

Twelve of the twenty-six Medicare contractors had no identified gaps in policies and procedures
to reduce risk, while the remaining 14 had 1 to 2 gaps each. In total, 23 gaps were identified in
this area, with all 23 gaps assigned to a high-impact subcategory.
Following are examples of
gaps in policies and procedures to reduce risk:

   •   The contractor did not have a documented process in place to formally track, monitor,
       and resolve those settings identified as “noncompliant” with the baseline configurations.

   •   Vulnerability assessments were not completed on the entire Medicare environment on a
       quarterly basis.

   •   The contractor did not formally document baseline configurations for system platforms,
       and there was no evidence that the configurations were reviewed, updated, or approved.

Ineffective policies and procedures to reduce risk could jeopardize an organization’s ability to
perform its mission, as well as to safeguard its information and IT assets. Without adequate
configuration standards and the latest security patches, systems may be susceptible to
exploitation that could lead to unauthorized disclosure, modification, or nonavailability of data.

RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS

We present the results of the data center technical assessments in terms of gaps, which are
defined as the differences between FISMA or CMS core security requirements and the
contractors’ implementation of those requirements. As shown in Table 4, the eight Medicare
data center technical assessment reports identified a total of 48 gaps. The average number of
gaps per data center was 6.
The number of gaps per data center ranged from 1 to 16.

                              Table 4: Range of Data Center Gaps

                                        Number of Data Centers With
              Total
      FY      Gaps     0 Gaps    1–5 Gaps    6–10 Gaps    11–20 Gaps    21–30 Gaps    31–40 Gaps
     2007      199        0          0           3            7             2             1
     2008       48        0          4           2            2             0             0

For FY 2008, CMS contracted with JANUS to evaluate NIST security controls at eight data
centers. At seven data centers, JANUS’s testing was limited to a policy and procedure review
only, which included testing the following six NIST security control areas:

   •   Contingency planning

   •   Configuration management

   •   Audit and accountability

   •   System and information integrity

   •   Risk assessment

   •   Security planning

At one enterprise data center, JANUS’s testing included six different NIST security controls in
addition to a penetration test of the mainframe and distributed systems:

   •   Access control

   •   Identification and authentication

   •   System and communication protection

   •   Physical and environmental protection

   •   Personnel security

   •   E-authentication

JANUS assigned each of the gaps to one of the security control areas. In a manner similar to that
of PwC, JANUS categorized the risks associated with the individual gaps as high, medium, or
low based on the potential impact and likelihood of exploitation.
Of the 48 gaps JANUS
identified across all 8 data centers, 0 gaps were high risk, 12 gaps were medium risk, and 36 gaps
were low risk. Ten gaps were resolved and closed during or after JANUS’s onsite visits to the
data centers, including two medium-risk gaps and eight low-risk gaps. Hence, there were a total
of 38 gaps at data centers requiring corrective action in FY 2008.

The total number of gaps identified in FY 2008 (48) was significantly lower than the number
identified in FY 2007 (199), a decrease of 151 gaps. This was due to the decrease in the number
of data centers reviewed (13 in FY 2007, 8 in FY 2008) and the number of categories and
specific security control categories tested in FY 2008. We did not perform a detailed comparison
of the number of gaps identified within the security control categories tested for the 2 FYs
because the same categories were not tested by JANUS at all operational data centers in
FY 2008. CMS uses a rotational approach in performing its technical assessments of data
centers. Some categories are not tested every year.

Table 5 presents the aggregate results reported for the eight data centers. Appendix F shows the
number of reported gaps at each data center by security control area.

                             Table 5: Data Center Reported Gaps by
             National Institute of Standards and Technology Security Control Area

                                               No. of Data   Total No.    No. of      No. of        No. of
                                               Centers       of Gaps      High-Risk   Medium-Risk   Low-Risk
        Security Control Area                  w/ Gaps       Identified   Gaps        Gaps          Gaps
        Contingency planning                         5             9           0            0            9
        Configuration management                     3             5           0            1            4
        Audit and accountability                     3            15           0            4           11
        System and information integrity             2             3           0            1            2
        Security planning                            3             5           0            3            2
        Access control                               1             7           0            3            4
        Identification and authentication            1             3           0            0            3
        System and communications protection         1             1           0            0            1
         Total                                                    48           0           12           36

Note: JANUS did not report any gaps in the NIST security area of risk assessment for the seven
data centers in which the area was tested. JANUS did not report any gaps in the NIST security
control areas of physical and environmental protection, personnel security, and e-authentication
for the one data center in which those areas were tested.

The following sections discuss the three security control areas with the highest number of gaps.

Audit and Accountability

Controls AC-1, AU-2, and AU-3 in NIST SP 800-53 require organizations to develop,
disseminate, and periodically review or update audit and accountability policies and procedures.
This ensures that events that need to be audited as significant and relevant to the security of the
information system are identified and audit records are produced.
These records should contain
sufficient information to establish the events that occurred, the sources of the events, and the
outcomes of the events.

One of the three data centers with audit and accountability control area gaps had 13 of the 15
gaps in this area. Examples of gaps in this area included:

    •    undocumented policies and procedures for logging and reporting of application-specific
         events,

    •    lack of documentation on audit trail data retention, and

    •    failure to assign responsibility for periodic review of audit and accountability policies
         and procedures.

Contingency Planning

According to the Executive Summary of NIST SP 800-34, without complete and up-to-date
contingency plans, the data centers cannot be assured that their systems can be quickly and
effectively recovered following a disruption. The contingency plans should contain detailed
guidance and procedures for restoring a damaged system.

Of the seven data centers in which contingency planning was tested, five had control gaps in the
area of contingency planning. Examples of gaps in this area included:

   •    significant information and resources supporting critical and sensitive operations were
        not identified and documented in the business continuity plan,

   •    there were discrepancies in the recovery time objectives, and

   •    there were insufficient alternate processing site agreements.

Access Control

According to GAO’s FISCAM, section 3.2, inadequate access controls diminish the reliability of
computerized data and increase the risk of destruction or inappropriate disclosure of data. Gaps
in access control create vulnerabilities in the confidentiality, integrity, and availability of
Medicare data and systems. Associated gaps in the configuration of systems software that
control access to systems can make computers vulnerable to unauthorized access.

Access control gaps were noted in the one enterprise data center that was tested for access
control. Examples of gaps in this area included:

    •   users had the ability to read files containing personal health information and

    •   an excessive number of users had update access to sensitive system files.

CONCLUSION

The work performed by PwC to evaluate contractor information security programs adequately
encompassed the eight FISMA requirements referenced in section 1874A of the Act. Gaps
reported during the PwC program evaluations were supported by documented evidence.

However, we could not determine the scope and sufficiency of the JANUS work for all of the
data center technical assessments because of several issues with its working papers. In many
instances, the documentation supplied by JANUS did not provide evidence of the testing
procedures performed at the data centers. The documentation JANUS provided did not always
indicate whether JANUS actually completed each testing procedure, and cross-references to
supporting documentation were missing for many of the test procedures. In many cases, we
were unable to trace gaps presented in JANUS’s final reports to supporting evidence. Because
the documentation provided by JANUS did not reasonably ensure that JANUS completed the
work CMS engaged it to do, we could not determine whether JANUS reported all medium- or
high-risk gaps and adequately supported all gaps that were included in the reports.

RECOMMENDATION

We recommend that CMS review all contractor documentation related to future data center
technical assessments and ensure that the work performed complies with CMS contractual
requirements.
At a minimum, this should include a review of test plans to ensure that the
contractor has completed all required testing procedures and a review of contractor working
papers to verify that reported gaps have been adequately supported, identified, and included in
the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments to our draft report, CMS concurred with our recommendation. CMS also
stated that it would take the appropriate actions to address the identified issues. We have
included CMS’s comments in their entirety in Appendix G.

APPENDIXES

                APPENDIX A: ASSESSMENT OF SCOPE AND SUFFICIENCY
                    FOR THE JANUS DATA CENTER ASSESSMENTS

                        Office of Inspector General Criteria for Assessing
                                     JANUS Working Papers

                     Sufficient Evidence     Sufficient Documentation    Reported All Medium-
    Data Center      That All Work Was       for All Reported Gaps?      and High-Risk Gaps?
                     Performed?
         1                  No                        No                    Inconclusive(1)
         2                  No                        No                    Inconclusive(1)
         3                  No                        Yes                   No(2)
         4                  Yes                       Yes                   Yes
         5                  Yes                       Yes                   No(2)
         6                  No                        No                    Inconclusive(1)
         7                  Yes                       Yes                   Yes
         8                  No                        No                    Inconclusive(1)

(1) Because of deficiencies with JANUS working papers, we were unable to determine whether
    JANUS reported all medium- and high-risk gaps.
(2) JANUS omitted from the data center’s report gaps identified during testing.

JANUS Associates, Inc. = JANUS

                                APPENDIX B: LIST OF GAPS BY
                   FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
                         CONTROL AREA AND MEDICARE CONTRACTOR

                                          Control Areas (With Impact Levels)

              Periodic     Policies and    Security      Security    Testing of                Incident    Continuity
              Risk         Procedures      Program and   Awareness   Information   Remedial    Response    of Operations
Medicare      Assessments  To Reduce Risk  System        Training    Security      Actions     (High)      Planning       Total
Contractor    (High)       (High)          Security      (Medium)    Controls      (High)                  (High)         Gaps
                                           Plans (High)              (High)
    1              0             1              0             0            3            0           0            0           4
    2              0             0              1             0            2            0           0            1           4
    3              0             0              1             0            1            0           0            1           3
    4              0             0              1             2            1            0           0            0           4
    5              0             2              1             1            2            0           0            0           6
    6              0             0              1             0            2            2           0            0           5
    7              0             0              0             1            0            0           0            0           1
    8              0             0              0             1            0            0           0            0           1
    9              0             0              0             0            0            0           0            0           0
   10              0             0              0             0            0            0           0            0           0
   11              0             0              0             0            1            0           0            0           1
   12              0             0              0             0            0            0           0            0           0
   13              0             0              0             0            0            0           0            0           0
   14              0             2              1             0            3            0           0            0           6
   15              0             2              1             0            2            0           0            0           5
   16              0             2              1             0            3            0           0            0           6
   17              0             0              2             1            2            1           0            0           6
   18              1             2              5             2            4            2           0            4          20
   19              1             2              5             2            4            2           0            4          20
   20              0             1              2             2            3            1           0            1          10
   21              0             1              0             0            2            0           0            1           4
   22              0             1              0             0            1            0           0            1           3
   23              0             1              1             0            5            2           0            1          10
   24              0             2              5             2            5            3           1            9          27
   25              0             2              1             0            2            1           0            1           7
   26              0             2              2             0            2            1           0            1           8
  Total            2            23             31            14           50           15           1           25         161

         Note: Impact levels for Federal Information Security Management Act of 2002 (FISMA)
         control areas were derived by PricewaterhouseCoopers by taking the highest value from among
         the subcategories.

APPENDIX C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

Contractor             FY 2007 GAPS                  FY 2008 GAPS             % Change
       1                      4                            4                        0%
       2                      2                            4                     100
       3                      1                            3                     200
       4                      4                            4                       0
       5                      1                            6                     500
       6                      5                            5                       0
       7                      2                            1                     (50)
       8                    N/A                            1                     N/A
       9                    N/A                            0                     N/A
      10                      1                            0                    (100)
      11                      2                            1                     (50)
      12                      1                            0                    (100)
      13                      0                            0                       0
      14                      3                            6                     100
      15                      1                            5                     400
      16                      3                            6                     100
      17                      4                            6                      50
      18                    N/A                           20                     N/A
      19                     10                           20                     100
      20                      2                           10                     400
      21                    N/A                            4                     N/A
      22                      5                            3                     (40)
      23                      3                           10                     233
      24                     12                           27                     125
      25                      3                            7                     133
      26                    N/A                            8                     N/A
Contractors No
  Longer in
   Program                   43                            -                       -
     Total                  112                          161                     44%

Note: Contractors listed as “N/A” were new Medicare Administrative Contractors in FY 2008.

FY = fiscal year

        APPENDIX D: MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS
       BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
                            CONTROL AREA

[Bar chart not reproduced in text: Gaps (0 to 60) for FY2007 and FY2008, by FISMA Control Area.]

     APPENDIX E: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS
     FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
         CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS

The “impact level” shown in Tables 1 through 4 on the following pages refers to the level of
adverse impact that could result from successful exploitation of a vulnerability in any of the
FISMA control areas. Impact can be described as high, medium, or low in light of the
organization’s mission and criticality and the sensitivity of the systems and data involved.
PricewaterhouseCoopers assigned a rating of high or medium impact to each of the subcategories
in the agreed-upon procedures developed by the Centers for Medicare & Medicaid Services
(CMS).
It is important to note that the impact levels were assigned to subcategories of the
FISMA control areas, not the individual gaps identified within the control areas or subcategories.
Individual gaps were assigned an overall risk level on a subjective basis by
PricewaterhouseCoopers after taking into consideration the impact and likelihood of occurrence.

TESTING OF INFORMATION SECURITY CONTROLS

The Medicare contractor information security program evaluations covered five subcategories
related to the testing of information security controls. The evaluation reports identified a total of
50 gaps in this FISMA control area.

                    Table 1: Testing of Information Security Controls Gaps

No.  Subcategory                                                            Total No. of Gaps   Subcategory
                                                                            in This Area        Impact Level
 1   Management reports exist for the review and testing of                          2          High
     information security policies and procedures, including network
     risk assessments, accreditations and certifications, internal and
     external audits, security reviews, and penetration and
     vulnerability assessments.
 2   Annual reviews and audits are conducted to ensure compliance                   17          High
     with FISMA guidance from the Office of Management and Budget
     for reviews of security controls, including logical and physical
     security controls, platform configuration standards, and patch
     management controls.
 3   Remedial action is being taken for issues noted in audits.                      6          High
 4   Change control procedures exist.                                                6          High
 5   Change control procedures are tested by management to ensure                   19          High
     they are in use.
       Total                                                                        50

SECURITY PROGRAM AND SYSTEM SECURITY PLANS

The Medicare contractor information security program evaluations assessed 10 subcategories
related to security program and system security plans. The evaluation reports identified a total of
31 gaps in this FISMA control area.

                 Table 2: Security Program and System Security Plan Gaps

No.  Subcategory                                                            Total No. of Gaps   Subcategory
                                                                            in This Area        Impact Level
 1   A security plan is documented and approved.                                     0          High
 2   A security management structure has been established.                           2          High
 3   Information security responsibilities are clearly assigned.                     3          High
 4   Owners and users are aware of security policies.                                0          High
 5   Hiring, transfer, termination, and performance policies address                 0          High
     security.
 6   Management has documented that it periodically assesses the                     9          High
     appropriateness of security policies and compliance with them,
     including testing of security policies and procedures.
 7   Management ensures that corrective actions are effectively                      8          High
     implemented.
 8   The plan is kept current.                                                       1          Medium
 9   Employee background checks are performed.                                       5          Medium
10   Security employees have adequate security training and expertise.               3          Medium
       Total                                                                        31

CONTINUITY OF OPERATIONS PLANNING

The Medicare contractor information security program evaluations assessed 13 subcategories
related to continuity of operations planning. The evaluation reports identified a total of 25 gaps
in this FISMA control area.

                       Table 3: Continuity of Operations Planning Gaps

No.  Subcategory                                                            Total No. of Gaps   Subcategory
                                                                            in This Area        Impact Level
 1   Emergency processing priorities are established.                                0          High
 2   Adequate environmental controls have been implemented.                          0          High
 3   Hardware maintenance, problem management, and change                            2          High
     management procedures exist to help prevent unexpected
     interruptions.
 4   Policies and procedures for disposal of data and equipment exist                0          High
     and include applicable Federal security and privacy requirements.
 5   An up-to-date contingency plan is documented.                                   3          High
 6   The plan is periodically tested.                                                5          High
 7   Results are analyzed and contingency plans adjusted accordingly.                2          High
 8   Physical security controls exist to protect information technology             1          High
     resources.
 9   Critical data and operations are formally identified and prioritized.           1          Medium
10   Resources supporting critical operations are identified in                      2          Medium
     contingency plans.
11   Data and program backup procedures have been implemented.                       1          Medium
12   Staff has been trained to respond to emergencies.                               7          Medium
13   Arrangements have been made for alternate data processing and                   1          Medium
     telecommunications facilities.
      Total
        25\n\x0c                                                                                        Page 5 of 5\n\nPOLICIES AND PROCEDURES TO REDUCE RISK\n\nThe Medicare contractor information security program evaluations assessed four subcategories\nrelated to policies and procedures to reduce risk. The evaluation reports identified a total of 23\ngaps in this FISMA control area.\n\n                   Table 4: Policies and Procedures To Reduce Risk Gaps\n                                                        Total No. of Gaps         Subcategory\n                      Subcategory                         in This Area            Impact Level\n    Documentation exists that outlines reducing the\n1   risk exposure identified in periodic risk                    0                    High\n    assessments.\n    Systems security controls have been tested and\n2   evaluated. The system/network boundaries                     3                    High\n    have been subjected to periodic reviews/audits.\n    All gaps in compliance per CMS\xe2\x80\x99s core\n3   security requirements are identified in the                  2                    High\n    results of management\xe2\x80\x99s compliance checklist.\n    Security policies and procedures include\n4   controls to address platform security                       18                    High\n    configurations and patch management.\n      Total                                                     23\n\x0c  APPENDIX F: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND\n       TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER\n\n                                                Data    Center\n NIST Security\n                                                                                        Total Gaps\n Control Area          1       2        3        4        5      6        7        8\n    Contingency\n      Planning         1       0        1        5        0      1        1        0         9\n   Configuration\n  
 Management          1       0        0        1        0      3        0        0         5\n     Audit and\n   Accountability      0       13       0        0        1      1        0        0        15\n    System and\n    Information\n      Integrity        2       0        0        0        0      1        0        0         3\n  Security Planning    1       3        0        0        0      1        0        0         5\n   Access Control      0       0        0        0        0      0        0        7         7\n  Identification and\n   Authentication      0       0        0        0        0      0        0        3         3\n     System and\n  Communications\n     Protection        0       0        0        0        0      0        0        1         1\n        Total          5       16       1        6        1      7        1       11        48\n\nNote: JANUS did not report any gaps in the NIST security control area of risk assessment for\nthe seven data centers in which the area was tested. JANUS did not report any gaps in the NIST\nsecurity control areas of physical and environmental protection, personnel security, and\ne-authentication for the enterprise data center in which those areas were tested.\n\nNIST = National Institute of Standards and Technology\n\x0c                                                                                                                Page 1 of 4\n\n\nAPPENDIX G: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS \n\n\n\n   , ......., \t\n   (-:J-          D"\'\'\'\'\'ENT OF HEALTH. HUMAN SERVICES \n\n\n                                                                                       Ad",ini.t\xe2\x80\xa2\xe2\x80\xa2 fD.\n                                                                                       W.~DC         20201\n\n\n\n\n             PATE,           DEC 2 0 2011\n\n             TO: \t         Daniel R. 
Lcvin50fl \n\n                           Inspector General \n\n\n             FROM: \t       Dona.ld. M. IkrwiCk,.!1~\n                           AdminIstrator     -\n                                                   .. .Jj                 f\'L\n                                                                          I   ~\n                                                                                ~\n             SUBJECT: \t Office oflnspeclor (kr=al (OIG) Draft Report - Review ofMedic:art COII/fUCIO,\n                           InjormoJion &cw-ily Program \xc2\xa3>\'(lIumlonsjor Piscal rear 2008 (A-l 8-09-)0200)\n\n             Thank you for !be opponwtity 10 review the subject oro draft repan ti tled, Re,-iew o[Medicore\n             COn/raetor "iformatio"Set;"\'iry Program E\'\'I1lualiorlSjor Fiscal Year (FY) 2008 (A.18\xc2\xb709\xc2\xad\n             302(0).\n\n             hi summary, the 01G found thatlhc work performed by Priccw3tefhouscCoopers(PwC) \\0\n             c\\\'aIWIlC informalion .w:cunly prognuns at the Medicare administnlli\'1: ro.nraclors (MACs).\n             fiscal inlmnediaries, and carriers, iOdeqWl.\\cly el>C<lmpassed lite eight Federal !nformalj,;m\n             Securily Management Act (FISMA) requirements referenced in section 1874A of the Ac\\. ~\n             Medicare CQntnlCWT\'!; process and poy Medicare fee-for-service claims, Ho....ever, OIG was nol\n             able 10 delenninc!he scope and sufficiency ormc work perfo~ by JANUS Associales, Inc,\n             (JANUS) 10 tesl segments of the claims processing systems because of several issues witll ils\n             working pllpeTS.\n\n             The Centers for Medicare &. Medicaid Servi~ (CMS) concurs v.ith me OIO\'s finding and\n             n:ocommendation to ~vicw all contractor do<;umnllation ~Iated to futu~ daU! 
center 1\xc2\xablInical\n             assessmentS and ensure lhallhe "\'\'(Irk performed complies wilh CMS contmclual requi~menl$,\n             CMS ....iIl continuo: to rc:view all documenU!tion related to contJa<;lOr Security Test and\n             E\'\'llluation (ST&E) documentation and ensure lhat sile lest plans, working papers, draft ~JlOIU,\n             seripts, fioal reports, elc_are ~viewed thoroughly duri ng and aftcroompldion of audits.\n\n              Attached are cffitial comments from the Centers for Medi= &. Medicaid Services. If you have\n              any questions regarding these comments. please conlacl C. Ryan BrewC1", Chief Information\n              Security Officer. at (4 10)786-2614.\n\n              ~,\n\n              C. Ryan BrcwC1", CISO, Di=lor, OTSIOCISO\n\n              Attachment\n\x0c                                                                                                 Page 2 of 4\n\n\n\n\nOIG RECOMMENDATION\n\nWe recommend that eMS review all COnlractor documentation related to fulure data center\ntechnical assessments and ensure that the work perfonned complies with eMS contractual\nrequirements. At a minimum, this should include (I review of test plans to ensure that the\ncontractor has completed all required testing procedures and a review of contractor working\npapers \\0 verify that reponed gaps have been adequately supported, identified, and included in\nthe technical assessment reports.\n\n\neMS RESPONSE:\n\nThe eMS concurs with the OIG recommendation and provides infonnation on eMS review of\ncontractor documentation. e MS will continue to review all documentalion related \\0 contractor\nSecurity Test and Evaluation (ST&E) documentation and ensure that sile test plans. working\npapers. draft reports, scripts, final reports. elc. are reviewed thoroughly during and afler\ncompletion of audits. The following list depicts the reviews performed on docwnentation\nprovided to CMS for the FY 2008 - FY 2010 ST&E audits. 
The Office of lnfonnation Systems\n(OISfEDCG) at CMS reviews all ST&E docwnentation related to ST&E audits.\n\nFor FY 2008 - ST&E contractor J.lDUS Associ.ltes, CMS reviewed the following:\n    \xe2\x80\xa2 \t Palmetto GBA - 6 control families tested for phase 2 controls\n    \xe2\x80\xa2 \t Quality Nel - 6 control fami lies tested for phase 2 controls\n    \xe2\x80\xa2 \t Highmark -6 control families tested for phase 2 controls\n    \xe2\x80\xa2 \t Vcri:wn - 5 control families tested for phase I controls\n    \xe2\x80\xa2 \t BCBS Florida - 6 control families tested for phase 2 controls\n    \xe2\x80\xa2 \t Baltimore Data Center - 6 control families tested plus pen test for phase I controls\n    \xe2\x80\xa2 \t Tulsa (EDS) Data Center - 6 control families tested for phase 2 contro ls\n    \xe2\x80\xa2 \t Plano (MCS) Data Center - 6 contro l families tested fOf phase 2 controls\n    \xe2\x80\xa2 \t Colwnbia (CDS) Data Centcr - 6 control families tested fOf phase I controls\n    \xe2\x80\xa2 \t NOS - 6 control fam ilies tested for phase 2 controls\n    \xe2\x80\xa2 \t Mutual of Omaha - 6 contro l families tested for phase 2 controls\n\n For FY 2009- ST&E contractor IFed LLC, CMS reviewed the following:\n     \xe2\x80\xa2 \t Tulsa (EDS)- 6 control families tested for phase 3 controls (re-cert)\n     \xe2\x80\xa2 \t Columbia (CDS) Data Center - 12 control families tested for phase 2 and phase 3\n         controls (re-cert)\n     \xe2\x80\xa2 \t Palmetto - 6 control famil ies tested for phase 3 controls\n     \xe2\x80\xa2 \t WPS (Mutual of Omaha) - 6 control families tested for phase 3 controls\n     \xe2\x80\xa2 \t NOS - 6 control families tested for phase 3 controls\n     \xe2\x80\xa2 \t Cahaba - 6 control families tested for phase I controls\n     \xe2\x80\xa2 \t Baltimore Data center - 6 control families tested pl us pen test for phase 2 controls\n\x0c                                                                                                    Page 3 of 
4\n\n\n\n\nFor FY 2010 - ST&E contractor ired LLC, eMS reviewed the following:\n   \xe2\x80\xa2 Tulsa (EDS) - 5 control fami lies tested for phase I contro ls\n   \xe2\x80\xa2   Columbia (CDS) Data Cenler - 5 control families tested fOT phase 1 controls\n   \xe2\x80\xa2   Baltimore Data Center - 6 control families tested [or phase 3 controls\n\nll1c eMS continues to test control areas wllere deficiencies occurred in previous fiscal years.\nControl areas are selected based on the pha$c of the audit cycle. For fiscal years 2008 and 2009,\neMS conccntrnled on testing repeat controls for tile Enterprise Data Centers (HP Tulsa. CDS\nColumbia, and the Baltimore Data Center). The practice of retesting controls for problem areas\nin the EDC\'s continues with the FY 2010 ST&E audits. The following list depicts the controls\ntested in FY 2008 and FY 2009 at the remaining Icgacy Medicarc data Centers and the EDC\'s.\n\nControls TH ted 2008;\n\nBeBS Florida. Palmetto GBA, Mutual of Omaha, Plano (MeS) Data center, Quality Net, Tulsa\nData Center, Highmark, and NGS:\n       Audit and Accountability (AU) - Technical\n       Configuration Managcment (CM) - Operational\n       Contingency Planning (C P) - Opera/ional\n       Planning (PL)\xc2\xb7 Management\n       Risk Assessment (RA) - Management\n       System and Information Integrity (SI). Operational\n\nColwnbia Data Center and Baltimorc Data Ccnter\n      Access Control (AC) - Technical\n      Identification and Authentication (lA) - Technical\n      Personal Security (PS) - OperOflOMI\n      Physical and Envi ronmental Protection (PE) - Operational\n      System and Communications Protection (SC) - Technical\n\nCODtrol ~   THttd 2009:\n\nTulsa Data Cemer, Palmetto GBA, WPS. NGS. 
Cahaba: \n\n       Awareness and T raining (A1) - Operational \n\n       Security Assessment and Authori zation (CA) - MalUlgemen/ \n\n       Incident Response (IR) - Opera/ioMI \n\n       MaimetlllOCe (MA) - Operationol \n\n       Media Prote<:tion (MP) - Opera/ional \n\n       System and Services Acquisi tion (SA)\xc2\xb7 M<JJlllgcment \n\n\n\n Columbia Dala CenteT:\n        Awareness and Tmining (A1) - OperaJional\n        Audit and Accountability (AU) - Technical\n        Security Assessment and Authorization (CA) - Management\n        Configlll\'1ltion Management (CM)- OperQliQnal\n\x0c                                                                                                 Page 4 of 4\n\n\n\n\n       Contingency Planning (CP) - Opera/lonal \n\n       Incident Response (IR) - Opera/iunol \n\n       Maintenance (MA) - Opuational \n\n       Media Protection (MP) - Operational \n\n       Planning (PL) \xe2\x80\xa2 Management \n\n       Risk Assessment (RA) - Management \n\n       System and Services AcquiSition (SA) - Management \n\n       System and Information Integrity (SI) - Operational \n\n\nModified testing was performed due 10 the A-123 testing of same control s and e MS was able to\ninherit a portion oflhe A- I23 work.\n\nBaltimore Data Center:\n       Audit and Accountability (AU) - Technical\n       Configuration Management (eM) - OperOliOn4/\n       Contingency Planning (C P) - Operaliurwl\n       Planning (PL) - Management\n       Risk Assessment ( RA) - Management\n       System and In form ation Integrity (51) - Operational\n\nControl! 
T esled 201U:\n\nTulsa Data Center:\n       Access Control (Ae) - Technical\n       Identification and Authenti cation (IA) \xe2\x80\xa2 Techn ical\n       Personal Secwity (PS) - Operational\n       Physica l and Environmental Protect ion ( PE) - Opera/ional\n       System and Communications Protection (SC) - Techn ical\n\nColumbia Data Center:\n      Access Control (AC) - Technical\n      Identification and Authentication (IA) - Technical\n      Personal Securi ty (PS) - Opera/ional\n      Physical and Envi ronmental Protection (P E) - Opera/ional\n      System and Communications Protection (SC) - Technical\n\nBaltimore Data Center: \n\n       Awareness and Trai ning (AT) - Operalional \n\n       Security Assessment and Authorization (CA) - Management \n\n       Incident Response ( rR) - Operational \n\n       Maintenance (MA) - Operational \n\n       Med ia Protection (MP) - Operational \n\n       System and Services Acquisition (SA) - Managemem \n\n\x0c'